crack novas

Approach

Based on the cracking principle posted by hao007 on http://www.hao007.net:
the license checkout is concentrated in the function snsCheckOut,
so it is enough to modify its return value, or to modify the conditional branch that tests the result after it returns.

verdi 2007.07p2 (linux32)

0x0bc79cf5 <snsilmCheckOut+125>: call   0xbc7b864 <snsCheckOut>
0x0bc79cfa <snsilmCheckOut+130>: add $0x30,%esp
0x0bc79cfd <snsilmCheckOut+133>: cmpl $0x0,0x10(%edi)
0x0bc79d01 <snsilmCheckOut+137>: je 0xbc79d12

Tracing procedure

shell>ddd Verdi

gdb>break snsCheckOut
gdb>run
gdb>finish

At this point execution is in the result-check section:
0x0bc79cfa <snsilmCheckOut+130>: add $0x30,%esp
0x0bc79cfd <snsilmCheckOut+133>: cmpl $0x0,0x10(%edi) # the location %edi points to holds the license checkout result
0x0bc79d01 <snsilmCheckOut+137>: je 0xbc79d12 # this is the branch target taken after a license is successfully obtained

gdb>jump 0xbc79d12

Runs normally!!!

Patching procedure

Change the je instruction in the check to jne

Location: 0x0bc79d01

[74 0f] je     0xbc79d12
->
[75 0f] jne   0xbc79d12

Search signature
0xbc79d00 : 0x00 0x74
0xbc79d02 : 0x0f 0x8b 0x47 0x10 0x8b 0x80 0x98 0x02
0xbc79d0a : 0x00 0x00 0x89 0x85 0xd4 0xdf 0xff 0xff
0xbc79d12 : 0x80 0xbd 0xda 0xdf 0xff 0xff 0x00 0x75
0xbc79d1a : 0x15 0xb8 0x00 0x00 0x00 0x00 0x83 0xbd

Cracks for other versions

Reposted from http://www.hao007.net

Debu55y_v54r10-linux

http://www.hao007.net/cgi-bin/topic.cgi?forum=2&topic=23284

The method is to search the files
Debussy
nce2report
nCompare
netlistcom
under platform/LINUX/bin/ for 55 89 e5 57 56 53 81 ec 3c 34
and replace it with 31 c0 c3 57 56 53 81 ec 3c 34,
i.e. only the first three bytes change.

debussy 2006.04

http://www.hao007.net/cgi-bin/topic.cgi?forum=2&topic=28734

Search for
55 89 e5 57 56 53 81 ec 2c 34 00 00
and change it to
31 c0 c3

Apply the change in Verdi, aliasextract, libls, nAnalyzer, fsdbreport, nce2report, netlistcom, testkdb, vericom

debussy 5.4v5 - NT

http://www.hao007.net/cgi-bin/topic.cgi?forum=2&topic=22750

Please open debussy.exe with UltraEdit (in hex mode)

Search for the following string
55 8B EC 81 EC 90 01 00 00 C7 45 FC
Location: 01aa38feh
Change it to
33 C0 C3 81 EC 90 01 00 00 C7 45 FC
^^ ^^ ^^
Repeat the same steps to patch the following:
Location: 000beaeeh
nce2report.exe
Location: 00400ebeh
nCompare.exe
Location: 0062a8eeh
netlistcom.exe
Location: 00012b6eh
snslmgrd.exe

Then it can be used. Thanks everyone. One more note..... this is for the NT version;
it does not apply to Linux or Solaris.

I have verified that this also works for 5.3v9
search 558BEC81EC90010000C745FC
debussy.exe
Location : 0x010B0C20
snslmgrd.exe
Location : 0x00012b6e

Installing and cracking debussy on Linux

http://www.hao007.net/cgi-bin/topic.cgi?forum=2&topic=21351

Detailed steps:
1. Open a terminal and cd into debussy/platform/LINUX/bin/
2. Start gdb: type gdb debussy and press Enter.
3. Set a breakpoint: type break snsCheckOut and press Enter. The program returns an address; mine was 0x92bf604.
4. Disassemble: type disassemble 0x92bf600 0x92bf700 and press Enter, which prints the contents of that code segment.
5. Following proteus's post, the machine code translates to 55 89 e5 57 56 53 81 ec 5c 94 00 00; it may differ between installations, so compare against the example at the bottom yourself.
6. Open the KHEX editor, open the debussy file (the 35M one under platform), search for 55 89 e5 57 56 53 81 ec 5c 94 00 00, change the first three bytes to 31 c0 c3, save and exit.
7. Start debussy again and everything is OK. No license is needed, and it no longer quits after a few traces.

All N0v@$ products for all operating systems can be cr@cked easily without a license file.

Just force the return value of the procedure "snsCheckOut" to "0", or fool the "compare and jump" instruction after the call to "snsCheckOut".

For example,

(1) Linux version:

Before modifications:

090de7d0 <snsCheckOut>:
90de7d0:       55                      push   %ebp
90de7d1:       89 e5                   mov    %esp,%ebp
90de7d3:       57                      push   %edi
90de7d4:       56                      push   %esi
90de7d5:       53                      push   %ebx
90de7d6:       81 ec 2c 58 00 00       sub    $0x582c,%esp
90de7dc:       8a 45 18                mov    0x18(%ebp),%al
90de7df:       88 85 cf a7 ff ff       mov    %al,0xffffa7cf(%ebp)
90de7e5:       8a 55 28                mov    0x28(%ebp),%dl
90de7e8:       88 95 ce a7 ff ff       mov    %dl,0xffffa7ce(%ebp)
90de7ee:       bf 00 00 00 00          mov    $0x0,%edi
90de7f3:       83 3d a8 72 36 09 00    cmpl   $0x0,0x93672a8

After modifications:
090de7d0 <snsCheckOut>:
90de7d0:       31 c0                   xor    %eax,%eax
90de7d2:       c3                      ret

(2) Solaris 5.7, 5.8 Version

Before modifications:

10046cc98:  40 00 05 e8    call         snsCheckOut
10046cc9c:  99 3e 60 00    sra          %i1, 0, %o4
10046cca0:  80 a6 60 00    cmp          %i1, 0
10046cca4:  12 40 00 09    bne,pn %icc,0x10046ccc8
10046cca8:  80 a2 20 00    cmp          %o0, 0
10046ccac:  90 10 20 01    mov          1, %o0
10046ccb0:  02 48 00 3b    be,pt %icc,0x10046cd9c
10046ccb4:  b1 3a 20 00    sra          %o0, 0, %i0
10046ccb8:  90 10 20 00    clr          %o0
10046ccbc:  b1 3a 20 00    sra          %o0, 0, %i0
10046ccc0:  81 c7 e0 08    ret          
10046ccc4:  81 e8 00 00    restore      
10046ccc8:  02 40 00 05    be,pn %icc,0x10046ccdc
10046cccc:  90 10 20 00    clr          %o0
10046ccd0:  b1 3a 20 00    sra          %o0, 0, %i0
10046ccd4:  81 c7 e0 08    ret          
10046ccd8:  81 e8 00 00    restore      
10046ccdc:  05 00 00 00    sethi        %hi(0x0), %g2
10046cce0:  07 00 16 04    sethi        %hi(0x581000), %g3
10046cce4:  84 10 a0 01    or           %g2, 1, %g2
10046cce8:  86 10 e0 e4    or           %g3, 228, %g3
10046ccec:  85 28 b0 20    sllx         %g2, 32, %g2
10046ccf0:  90 07 a3 ff    add          %fp, 1023, %o0
10046ccf4:  92 10 c0 02    or           %g3, %g2, %o1
10046ccf8:  94 07 a3 f3    add          %fp, 1011, %o2
10046ccfc:  40 00 01 d9    call         snsParseVendorString

After modifications:
10046ccc4:  81 e8 00 00    restore      
10046ccc8:  12 40 00 05    bne,pn %icc,0x10046ccdc

(3) Solaris 5.5, 5.6 Version

Before modifications:

.text:003BB124                 set     -0x2078, %g1  03 3F FF F7 82 00 63 88
.text:003BB12C                 save    %sp, %g1, %sp  9D E3 80 01
.text:003BB130                 st      %i3, [%fp+arg_50]                     F6 27 A0 50
.text:003BB134                 mov     %i2, %l1   A2 10 00 1A

After modifications:
.text:003BB124                 mov     0, %o0   90 10 20 00
.text:003BB128                 ret    81 C7 E0 08
.text:003BB13C                 restore   81 E8 00 00

(4) Windows version:
"snsCheckOut" cannot be found directly, but it is present in the program. Carefully tracing the program will find it.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-Share Alike 2.5 License.